IPsec in Legacy Mode (IKEv1)

About

This document provides a configuration example for establishing an IPsec tunnel in a Site-to-Site scenario between WeOS 5 and WeOS 4 devices using the IKEv1 version of the IPsec protocol. It is intended for users who need to interoperate with legacy WeOS 4 installations or third-party devices that only support IKEv1.

Introduction

Internet Key Exchange version 1 (IKEv1) is the original protocol for negotiating IPsec security associations. While IKEv2 is recommended for new deployments due to its improved security and efficiency, IKEv1 is still required for compatibility with older devices and some third-party equipment.

Site-to-Site Scenario

A typical site-to-site VPN connects two separate networks securely over the Internet. For example, a company may want to connect two offices using a tunnel, where Site A uses a new WeOS 5 device and Site B uses an older WeOS 4 device as their respective gateways. In this example, WeOS 5 acts as the initiator and WeOS 4 as the responder. Each site has its own local subnet, and the tunnel is established between two VLAN interfaces.

Network Topology

        [Site A: WeOS 5]                      [Site B: WeOS 4]
      192.168.15.1/24 (vlan1000)         192.168.45.1/24 (vlan1000)
      10.0.1.15/24   (vlan100)           10.0.1.45/24   (vlan100)
                |                                |
                |--------- IPsec Tunnel----------|
                |             (IKEv1)            |

Figure 1: Site-to-site tunnel using IPsec IKEv1.

Both gateways have two interfaces configured: vlan1000, connected to the respective internal subnet, and vlan100, facing the outside network.

The IPsec tunnel (using IKEv1, which both versions of WeOS support) securely connects the two sites over the Internet or another untrusted network. This allows devices on the 192.168.15.0/24 network at Site A to communicate securely with devices on the 192.168.45.0/24 network at Site B, as if they were on the same local network.

Configuration

WeOS 5 Configuration (Initiator)

Enter configuration mode and set up the VLANs and interfaces. Then configure the IPsec tunnel as follows:

siteA:/conf/#> tunnel ipsec 1
siteA:/conf/tunnel/ipsec-1/#> initiator
siteA:/conf/tunnel/ipsec-1/#> version 1
siteA:/conf/tunnel/ipsec-1/#> peer 10.0.1.45
siteA:/conf/tunnel/ipsec-1/#> local-address 10.0.1.15
siteA:/conf/tunnel/ipsec-1/#> remote-subnet 192.168.45.0/24
siteA:/conf/tunnel/ipsec-1/#> local-subnet 192.168.15.0/24
siteA:/conf/tunnel/ipsec-1/#> ike auth sha256 cipher aes256 dh modp2048
siteA:/conf/tunnel/ipsec-1/#> esp auth sha256 cipher aes256 dh modp2048
siteA:/conf/tunnel/ipsec-1/#> secret westermo
siteA:/conf/tunnel/ipsec-1/#> leave

Explanation:

  • initiator specifies that this device will initiate the tunnel.
  • version 1 selects IKEv1.
  • peer is the IP address of the remote WeOS 4 device.
  • local-address and local-subnet define the local interface and protected network.
  • remote-subnet is the network behind the peer.
  • The ike and esp lines set the cryptographic parameters. Note that you cannot leave them at the default Auto setting because WeOS 4 does not support that; therefore, select the most secure proposal supported.
  • secret sets the pre-shared key.

WeOS 4 Configuration (Responder)

On the WeOS 4 device, configure the VLANs, interfaces, and IPsec tunnel. Use the provided Management Guide for additional help. Below are the essential commands for IPsec configuration:

siteB:/conf/#> tun ip 1
siteB:/conf/tunnel/ipsec-1/#> peer 10.0.1.15
siteB:/conf/tunnel/ipsec-1/#> outbound vlan100
siteB:/conf/tunnel/ipsec-1/#> remote-subnet 192.168.15.0/24
siteB:/conf/tunnel/ipsec-1/#> local-subnet 192.168.45.0/24
siteB:/conf/tunnel/ipsec-1/#> secret westermo
siteB:/conf/tunnel/ipsec-1/#> leave

Explanation:

  • peer is the WeOS 5 device.
  • outbound vlan100 specifies the outgoing interface for the tunnel.
  • remote-subnet and local-subnet define the protected networks.
  • secret must match the pre-shared key on WeOS 5.

Verification

After applying the configuration, you can verify the tunnel status on both devices.

On WeOS 5:

siteA:/#> sh tun ipsec
ID  DESCRIPTION      STATUS               TIME (since last rekey)
1   ipsec1           Up(Installed)        5 min 25 sec

siteA:/#> sh tun ipsec 1
Current state for tunnel ipsec1 is UP(Installed).

Security-Association(SA) details:
ipsec1: #33834, ESTABLISHED, IKEv1, d3309517c6364582_i* 4e6a8ddc2932d8ce_r
  local  '10.0.1.15' @ 10.0.1.15[500]
  remote '10.0.1.45' @ 10.0.1.45[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 327s ago, rekeying in 13097s
  tunnel1: #55, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 327s ago, rekeying in 3173s, expires in 3633s
    in  ccc4b9b2,      0 bytes,     0 packets
    out ba951356,      0 bytes,     0 packets
    local  192.168.15.0/24
    remote 192.168.45.0/24

Loaded configuration for the connection:
ipsec1: IKEv1, reauthentication every 14400s, dpd delay 30s
  local:  10.0.1.15
  remote: 10.0.1.45
  local pre-shared key authentication:
    id: 10.0.1.15
  remote pre-shared key authentication:
    id: 10.0.1.45
  tunnel1: TUNNEL, rekeying every 3600s, dpd action is start
    local:  192.168.15.0/24
    remote: 192.168.45.0/24

The output should indicate that the tunnel is “Up” and “Installed,” confirming successful negotiation and establishment of the IPsec tunnel.
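A small health check over the `sh tun ipsec 1` listing above, added here as an example and not part of WeOS or this guide: it parses the SA details and confirms the tunnel is ESTABLISHED/INSTALLED over IKEv1 with the algorithms that the `ike` and `esp` lines configured (aes256, sha256, modp2048 appear as AES_CBC-256, HMAC_SHA2_256_128 and MODP_2048 in the listing), and flags an SA that has not yet carried any packets. The field names and the mapping in EXPECTED are this example's own assumptions about the output format.

```python
import re

# Output of 'sh tun ipsec 1' copied from the WeOS 5 verification above
SA_OUTPUT = """\
ipsec1: #33834, ESTABLISHED, IKEv1, d3309517c6364582_i* 4e6a8ddc2932d8ce_r
  local  '10.0.1.15' @ 10.0.1.15[500]
  remote '10.0.1.45' @ 10.0.1.45[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 327s ago, rekeying in 13097s
  tunnel1: #55, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 327s ago, rekeying in 3173s, expires in 3633s
    in  ccc4b9b2,      0 bytes,     0 packets
    out ba951356,      0 bytes,     0 packets
    local  192.168.15.0/24
    remote 192.168.45.0/24
"""
# How the 'aes256', 'sha256' and 'modp2048' CLI keywords appear in the SA listing (assumed)
EXPECTED = ("AES_CBC-256", "HMAC_SHA2_256_128", "MODP_2048")

def parse_sa(text):
    """Pull state, IKE version, proposals and packet counters out of the listing."""
    sa = {"packets": {}}
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"(\w+): #\d+, (\w+), (IKEv\d)", s):
            sa.update(name=m[1], ike_state=m[2], ike_version=m[3])
        elif re.fullmatch(r"[A-Z0-9_\-]+(/[A-Z0-9_\-]+)+", s):
            sa["ike_proposal"] = s
        elif m := re.match(r"\w+: #\d+, reqid \d+, (\w+), (\w+), ESP:(\S+)", s):
            sa.update(child_state=m[1], mode=m[2], esp_proposal=m[3])
        elif m := re.match(r"(in|out)\s+[0-9a-f]+,\s+\d+ bytes,\s+(\d+) packets", s):
            sa["packets"][m[1]] = int(m[2])
    return sa

def check_sa(sa, expected=EXPECTED):
    """Return findings; an empty list means Up(Installed) with the intended crypto."""
    findings = []
    if sa.get("ike_state") != "ESTABLISHED" or sa.get("child_state") != "INSTALLED":
        findings.append("tunnel is not Up(Installed)")
    if sa.get("ike_version") != "IKEv1":
        findings.append("negotiated IKE version is not IKEv1")
    for label in ("ike_proposal", "esp_proposal"):
        missing = [alg for alg in expected if alg not in sa.get(label, "").split("/")]
        if missing:
            findings.append(f"{label} lacks {', '.join(missing)}")
    if sa["packets"] and not any(sa["packets"].values()):
        findings.append("SA is up but has carried no packets yet")
    return findings
```

On the listing above the only finding is the zero packet counters, which is expected right after establishment and clears once traffic flows between the subnets.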

Verify the status on WeOS 4 in the same way:

siteB:/#> show tunnel ipsec

Troubleshooting

  • Ensure that the pre-shared key (secret) matches on both devices.
  • Verify that the local and remote subnets are correctly configured and do not overlap.
  • Check that the cryptographic parameters (cipher, auth, DH group) are supported and match on both sides.
  • If the tunnel does not come up, review the system logs for errors related to IKE negotiation.
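The first three items of this checklist can be applied mechanically to the two CLI sessions from the WeOS 5 and WeOS 4 configuration sections. The following cross-check is an added example, not a WeOS tool: it parses the commands typed at the ipsec-1 prompts, then confirms that the pre-shared keys match, that each side's local-subnet is the other's remote-subnet, that the subnets do not overlap, that the responder's peer is the initiator's local-address, and that the initiator pins IKEv1 and explicit ike/esp proposals rather than Auto. The prompt regex and the dictionary layout are this example's assumptions.

```python
import ipaddress
import re

# Tunnel commands copied from the WeOS 5 and WeOS 4 sections above
SITE_A = """\
siteA:/conf/tunnel/ipsec-1/#> initiator
siteA:/conf/tunnel/ipsec-1/#> version 1
siteA:/conf/tunnel/ipsec-1/#> peer 10.0.1.45
siteA:/conf/tunnel/ipsec-1/#> local-address 10.0.1.15
siteA:/conf/tunnel/ipsec-1/#> remote-subnet 192.168.45.0/24
siteA:/conf/tunnel/ipsec-1/#> local-subnet 192.168.15.0/24
siteA:/conf/tunnel/ipsec-1/#> ike auth sha256 cipher aes256 dh modp2048
siteA:/conf/tunnel/ipsec-1/#> esp auth sha256 cipher aes256 dh modp2048
siteA:/conf/tunnel/ipsec-1/#> secret westermo
"""
SITE_B = """\
siteB:/conf/tunnel/ipsec-1/#> peer 10.0.1.15
siteB:/conf/tunnel/ipsec-1/#> outbound vlan100
siteB:/conf/tunnel/ipsec-1/#> remote-subnet 192.168.15.0/24
siteB:/conf/tunnel/ipsec-1/#> local-subnet 192.168.45.0/24
siteB:/conf/tunnel/ipsec-1/#> secret westermo
"""
PROMPT = re.compile(r"^\S+:/conf/tunnel/ipsec-\d+/#> (\S+)\s*(.*)$")  # assumed prompt shape

def parse_tunnel(transcript):
    """Map each command keyword typed at the ipsec-N prompt to its argument string."""
    return {m[1]: m[2] for m in map(PROMPT.match, transcript.splitlines()) if m}

def cross_check(a, b):
    """Run the troubleshooting checklist against initiator a and responder b."""
    problems = []
    if a.get("secret") != b.get("secret"):
        problems.append("pre-shared key differs")
    if a.get("local-subnet") != b.get("remote-subnet") or a.get("remote-subnet") != b.get("local-subnet"):
        problems.append("local/remote subnets are not mirrored between the sites")
    if ipaddress.ip_network(a["local-subnet"]).overlaps(ipaddress.ip_network(a["remote-subnet"])):
        problems.append("local and remote subnets overlap")
    if b.get("peer") != a.get("local-address"):
        problems.append("responder's peer is not the initiator's local-address")
    if a.get("version") != "1":
        problems.append("initiator is not set to IKEv1 (version 1)")
    for proto in ("ike", "esp"):  # WeOS 4 cannot negotiate the WeOS 5 'Auto' proposal
        if not a.get(proto) or "auto" in a[proto].lower():
            problems.append(f"{proto} proposal is not pinned to explicit algorithms")
    return problems
```

For the configuration in this guide `cross_check(parse_tunnel(SITE_A), parse_tunnel(SITE_B))` returns an empty list; any finding it does return points at the item of the checklist above to revisit.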

Summary

This guide demonstrates how to configure a site-to-site IPsec tunnel between WeOS 5 and WeOS 4 using IKEv1. While IKEv1 is considered legacy, it is still required for interoperability with older devices. For new deployments, consider using IKEv2 for improved security and reliability.